David Pheasant wrote:
> Hey everyone,
>
> I accidentally sent an earlier (unfinished) version of this message to
> the list, but hopefully it was moderated out. In any case, I'm
> wondering about the best way to manage the contents of a single file
> from multiple modules or manifests/classes within the same module.
> Specifically, I'm trying to manage the entries in
> /etc/pam.d/system-auth-ac (we're running RedHat).
>
> Currently we have a module called 'unix-srr' that implements the DISA
> unix security guidelines. One of the classes within this module
> (unix-srr::pam) implements security settings that are involved with the
> system-auth-ac file (password requirements, password history, su
> usage). All the unix-srr::pam class does is define a file type that
> updates/ensures the local file matches the version in the
> unix-srr/files/etc/pam.d/ module directory on the puppetmaster.
>
> Given the above scenario, what would be the best way to add the
> ability to configure kerberos based authentication? This will also
> require edits to the system-auth-ac file. I would like to put this
> into a separate module/class since not all sites will need/require
> kerberos authentication. As I see it there are two options:
>
> 1. Another class that re-implements the file based approach where the
> source system-auth-ac file already includes the unix-srr changes.
> The thread http://groups.google.com/group/puppet-users/browse_thread/thread/3f6c8cfb36adf6f6 has some ideas about how to do this.
> 2. Another class that implements an Augeas based solution.
>
> I think that we can all agree that Option 1 is a kludge since any
> changes to the unix-srr version of the system-auth-ac file will also
> have to be made to the kerberos-auth version; otherwise we'd have one
> overwriting the other in an infinite loop. Option 2 is viable, but I
> am annoyed by the amount of time that is required for changes via
> Augeas since by default Augeas parses all files under /etc/. I have
> tried setting the 'root' option of the augeas type to '/etc/pam.d/'
> but this does not work as expected (I also tried this with augtool via
> the AUGEAS_ROOT environment variable and it failed as well, so this is
> an issue with Augeas and not puppet).
>

Are you sure it's augeas's fault? But if you say that augtool behaves the same you're probably right. I haven't noticed this issue on my system... Maybe old version of augeas/puppet?
Maybe it's because you wrote the message fast but shouldn't the root be /files/etc/pam.d ?

Hope I helped in any way :">
Silviu

> So, does anyone have a suggestion for how to deal with this? I'm
> pretty new to puppet so it may well be possible that the layout
> described above is fundamentally flawed.
>
> Thanks in advance,
>
> -Dave
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
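Option 2 from the question, with Augeas restricted to the one PAM file instead of parsing everything under /etc, as an added example that is not part of the original thread. It assumes a Puppet version whose augeas type supports the `incl` and `lens` parameters; the class name and the pam_krb5.so entry (control and argument values) are hypothetical.

```puppet
# Added example, not code from the thread.
# Assumptions: hypothetical class name; the pam_krb5.so line and its
# 'sufficient' / 'use_first_pass' values are illustrative only.
#
# A file resource that enforces the whole of system-auth-ac from a
# 'source' (as unix-srr::pam is described as doing) would revert this
# entry on every run, so this only converges if that class stops
# enforcing full file content for this path.
class kerberos_auth::pam {
  augeas { 'system-auth-ac-krb5':
    # incl and lens are used together: only this file is loaded,
    # parsed with the PAM lens, instead of every lens over /etc.
    incl    => '/etc/pam.d/system-auth-ac',
    lens    => 'Pam.lns',
    context => '/files/etc/pam.d/system-auth-ac',
    changes => [
      # Insert a new entry after the last 'auth ... pam_unix.so' line
      # (assumes such a line exists; the insert fails otherwise).
      "ins 01 after *[type='auth'][module='pam_unix.so'][last()]",
      'set 01/type auth',
      'set 01/control sufficient',
      'set 01/module pam_krb5.so',
      'set 01/argument use_first_pass',
    ],
    # Idempotence guard: apply only while no auth pam_krb5.so entry exists.
    onlyif  => "match *[type='auth'][module='pam_krb5.so'] size == 0",
  }
}
```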